MAKING THE GRADE: While DHS has earned failing grades for its systems security for the last two years, CISO Bob West's security evaluations could be helping to turn things around.

The mood in the meeting room at the Homeland Security Department's CIO office was tense already when Bob West made his proposal.

It was midday on a Wednesday in early spring last year, and the department's CIOs had gathered in the nondescript federal building near L'Enfant Plaza in Washington for their weekly review of DHS' most pressing technology issues, a regular meeting that routinely called forth strong opinions.

West, the department's chief information security officer, was proposing to send an IT security evaluation team (what the CISO office called a 'boarding party') into one of DHS' 'big six' agencies, the headline organizations that field thousands of technology users and hundreds of systems. The idea wasn't going over well with the CIOs in the room, except for one.

West's group already had conducted a security evaluation at one DHS agency, finding, among other things, that the agency had a poor grasp of its own systems. The CIOs at the meeting, who had pushed back at West's IT security evaluations from the beginning, vocally condemned the proposal for a second boarding.

Recalling the meeting, West said, 'I didn't say anything, which is unusual for me.'

But in a moment that suggested a sign of hope for West, and DHS, the CIO of that first agency reviewed by the boarding party spoke up to defend and recommend the security evaluation.

'The CIO said the boarding party process was 'one of the most empowering things that ever happened to me as a CIO. Now, [IT professionals in the agency] are coming to me with their problems,' ' West recounted.

It was a small ray of light, perhaps, but one that helps reveal the other side of DHS' story. Even as the department has stumbled through project failures, stalled during leadership vacuums and withstood withering criticism, DHS has delivered some projects that serve as exemplars of technology management and are improving prospects for better project performance.

Tech leadership

The special report in this GCN issue and the next pinpoints these examples of DHS technology leadership and traces how their success could help the department improve other stumbling IT operations.

This issue focuses on IT projects already well under way that incorporate pockets of progress, while the next issue of GCN examines pending or fledgling programs that show the way forward. They range from traveler identification and port monitoring systems to terrorist screening applications and online mapping sites.

These successes have been accomplished against a backdrop of well-known failures, including an array of IT projects that are in many cases delayed, over budget or performing poorly (see chart).

Stumbling blocks have included turnover in critical leadership jobs that has left many component agencies rudderless, as well as the department's drifting course and subsequent disruption by secretary Michael Chertoff's Second Stage Review shake-up last year. But in some areas at least, DHS seems to be turning a corner.

At a glance, IT security might not appear to be a pocket of progress. It has been but one leitmotif in DHS' three-year, off-key symphony of costly, failed technology projects, which according to the steady flow of audit reports, news stories and congressional hearings, have delayed the agency's deployment of IT to meet its mission. DHS has earned failing grades on its Federal Information Security Management Act scorecard for the last three years.

And IT security remains one of DHS' most glaring vulnerabilities, officials concede. 'We have a long way to go,' said Tony Cira, the CIO office's director of information operations and a veteran Defense Department IT manager.

But advances in security technology and procedures appear to be laying the groundwork for better performance.

'We have gotten beaten up on security,' CIO Scott Charbo conceded. But he said there is 'real security value' in several pending department projects, such as the rollout of employee credentials that will comply with Homeland Security Presidential Directive 12.

West contends that his security operation will certify and accredit 100 percent of DHS' systems by the end of fiscal 2006. Currently, about 60 percent are accredited.

Through this activity, West's office has engaged the department's IT officials in the task of assigning ownership to all of the more than 700 systems in the department.

In interviews, senior department IT staff cited estimates of the department's systems ranging from 760 systems to more than 800, and eventually conceded that methods of counting systems vary.

In addition to its overall problems in mounting specific programs, the department has inherited a hodgepodge of agencies with widely varying goals and dissonant IT cultures.

James Lewis, director of the Center for Technology, said, 'Even within agencies that have been around for a while, there really isn't a single approach.'

But West and his team are driving to impose uniformity across the department by various means, such as adopting certain National Institute of Standards and Technology IT standards and building a common, mandatory standards framework.

In addition, technology leaders have pinpointed which agencies are leaders and laggards by compiling a chart that describes, among other things, the percentage gap between the total number of each component's systems and those that have been certified and accredited.

According to the chart, the Coast Guard is the best-performing agency, with all of its systems certified and accredited.

Close behind is the U.S. Visitor and Immigrant Status Indicator Technology program, which has only 2 percent of systems not yet certified and accredited. Those agencies, and others with low proportions of unexamined systems, qualified for 'green' C&A ratings.

Unexamined systems

Other agencies, such as the Transportation Security Administration, had higher levels of unexamined systems as of April, according to the chart, and earned yellow ratings.

The worst rating level is the red designation, earned by agencies such as the Federal Law Enforcement Training Center and the Office of Intelligence and Analysis, with gaps well into the double digits.

Cira said he plans to bring in the National Security Agency's Blue and Red teams of IT security specialists to analyze DHS' networks and systems, and pinpoint areas for improvement.

In terms of IT security, West said, 2005 was the year of creating a systems inventory and installing automated systems for security compliance, such as Trusted Agent FISMA from Trusted Integration Inc. of Alexandria, Va.

'In August 2005, we kicked off a week-long security event at which secretary [Michael] Chertoff announced the department's remediation plans,' West said. 'In 2007, it will be the year of raising the bar.'

The department will rely on role-based training, tailoring employees' security knowledge levels to their job needs, West said. That will be done with the assistance of an enterprisewide learning management system to implement and track training progress, he said.

'When I came in this job in July [2005], we were red-red [on security],' Charbo said, referring to the department's failing grades on security status and on security progress.

'We are still red on status, but we are green on progress,' Charbo said.

As the department begins to shore up its shaky security posture, it also will press forward with a comprehensive technology upgrade that already has brought good results, and promises to improve new projects' chances for success.

Acting CIO, Rear Adm. Ron Hewitt of the Coast Guard, led the effort when DHS technology officials planned the IT Infrastructure Transformation Program in early 2005.

The most important way ITP differs from the department's previous technology upgrade efforts is that it drives the responsibility for planning and managing specific IT upgrades down to DHS' major component agencies [GCN, Aug. 29, 2005, Page 1]. 'Putting the ownership of the [IT makeover] projects in those components is just a way of leveraging [their capabilities],' Charbo said. For example:

The Coast Guard was given responsibility for consolidating and reforming DHS' e-mail systems and help desk operations.

Customs and Border Protection got the job of merging DHS data centers and networks, notably on a sensitive but unclassified network known as OneNet, as well as secret and top-secret networks that have allowed the department to almost eliminate its reliance on the Pentagon for classified network services.

The Federal Emergency Management Agency took control of providing sensitive but unclassified video network services.

The Office of the Chief Procurement Officer took the job of consolidating the department's IT purchasing via two procurement vehicles, now pending award, known as Eagle and FirstSource [GCN, Aug. 22, 2005].

But ITP also tapped the technology management resources of DHS agencies that were in many cases better funded and more mature than the headquarters organizations.

ITP already has scored a signal success that affects the daily work of thousands of DHS employees. In October, the Coast Guard rolled out a consolidated directory of the e-mail addresses of DHS employees. Previously, the department's employees and their contractors had no simple way to make contact with their counterparts in other DHS agencies.

The Coast Guard is still working to consolidate DHS' gaggle of e-mail systems, which range from the time-worn Lotus cc:Mail through various Microsoft and Novell systems.

But now at least, DHS is beginning to achieve the ability to talk to itself.

'Before we got this directory, distributing a simultaneous departmentwide message via our counterparts in other directorates was a difficult exercise,' one department official said recently.

'We did it by cascade: We would send it to one directorate office after another and then arrange to have it released across each directorate simultaneously,' the official said.

DHS officials expect the e-mail consolidation program to reduce the number of servers devoted to that function from about 1,200 to about 30, with attendant improvements in security, reliability and cost.

Department officials look for substantial improvement in their IT procurement when the Eagle and First Source contract awards roll out this summer.

'The ITP is a program management discipline,' Cira said, noting that a central function of the project is to standardize the department's IT management work.

So far, DHS officials have kicked off ITP's rollout of FEMA's video services work and the Coast Guard's help desk and e-mail projects, Charbo said during a recent interview.

ITP's future stages have been planned and are poised for launch, Cira added. 'Right now, it is not a matter of making it happen, we are doing it,' Cira said. 'We have the specifications, and we have the design.'

During a discussion of DHS' pending IT projects, Charbo said, 'I came into this job in July [2005]. It is hard to build a service-type organization overnight.'

But Charbo's own performance appears to have met with his superiors' approval, because he recently received the additional job of deputy secretary for management. While his new job likely will saddle Charbo with additional, time-consuming duties, it also gives him final say over the department's technology agenda, as many have recommended [GCN, June 5, Page 5].

The other stories in this issue examine existing DHS programs that are delivering results and improving their performance in the fields of screening and targeting, maritime domain awareness, geospatial activities and anti-counterfeiting.

The improvements from these projects reflect how DHS itself is gradually coming of age.

'For the first two years, we didn't have a strategic plan [for managing IT],' Preparedness Directorate CIO Church said, referring to his directorate's predecessor organization, the Infrastructure Protection and Information Awareness Directorate.

'Now, we are in Version 2.0 [of our directorate's enterprise architecture] and soon we [will] have Version 3.0.'

DHS' technology structure still faces steep obstacles, not to mention resourceful and determined enemies as well as serious natural perils.

But as for winning the battle to create a functioning IT environment, the department's current status recalls the words of Winston Churchill when the Royal Air Force won the Battle of Britain. 'This is not the end. It is not the beginning of the end. But it is the end of the beginning.'

NEXT WEEK IN GCN: DHS technology projects either being planned or in their early stages hold out the hope for improved performance in the fields of data center and network consolidation, radio frequency identification devices and biometrics, border technology and IT procurement.